1
HIPAA Security Overview
Centers for Medicare & Medicaid Services (CMS)
2
Agenda
Role of CMS
Security Rule Overview
CMS’ HIPAA Security Strategy
Providence Resolution Agreement
Summary & Conclusion
Q&A
3
Role of CMS
CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:
Transactions and Code Sets
Identifiers (NPI, EIN)
Security
CMS is responsible for HIPAA enforcement as well as:
Regulatory/Policy Interpretation
Outreach and Education
Guidance and FAQs
New Regulations (including other eHealth-related issues, e.g. eRx)
4
Security Rule Overview
Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits
Scalability/Flexibility: based on organization size, complexity, technical capabilities and infrastructure, cost of security measures and potential security risks
Technologically Neutral: describes “what” needs to be done vs. “how” it is to be done
Standards are required, but the implementation specifications may be either required or addressable
5
CMS’ HIPAA Security Strategy
CMS takes a three-pronged approach to HIPAA Security. The three prongs are:
Outreach & Education
Enforcement
Compliance Reviews
6
Outreach and Education Efforts
Federal and Non-Federal Collaboration
Develop/Disseminate Educational & Guidance Materials
Security Papers:
1. Administrative, Physical and Technical Safeguards
2. Basics of Risk Analysis and Risk Management
3. Implementation for the Small Provider
Frequently Asked Questions
Security Compliance Review Checklist
Remote Use and Access Guidance
The materials can be found on the CMS Website at: http://www.cms.hhs.gov (under the link for Regulations and Guidance).
7
Outreach & Education - Remote Use & Access Guidance
Rationale: increased risk to protected health information associated with increased remote access to EPHI
Increase in workforce mobility
Increase in use of portable media storage devices
Recent security-related incidents:
Reported loss or theft of devices containing EPHI
Reported access to health information by unauthorized users
8
Outreach & Education - Highlights of Remote Access Guidance
Published December 28, 2006
Reiterates requirements of the HIPAA Security Rule
Identifies strategies consistent with organizational capabilities (Scalable and Flexible)
Pertains to Access, Storage and Transmission of EPHI
Three categories of action highlighted:
1. Conducting Security Risk Assessment
2. Developing and Implementing Policies and Procedures
3. Implementing Mitigation Strategies
9
HIPAA Security Enforcement – Current Process
Review complaint to determine validity and scope
Notify “Filed Against Entity” (FAE) of complaint
Request specific documents from the FAE
Assess documents to determine if they:
1. Demonstrate compliance
2. Demonstrate the need for a Corrective Action Plan (CAP)
Monitor CAPs to completion
Close complaint upon demonstration of compliance
Issue closure correspondence to all parties
10
HIPAA Security Enforcement – Overlapping Complaints
CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules
Approximately 70% of the CMS Security cases are referrals from OCR
Majority of Security complaints – allegation of inappropriate access and risk of inappropriate disclosure
11
HIPAA Security Enforcement - Complaint Categories
Unauthorized access to EPHI (employees or relatives accessing EPHI)
Loss or theft of devices containing EPHI (small volume of complaints; large volume of records)
Insufficient access controls for systems containing EPHI
Shared passwords
Encryption
CMS has received 350 Security Rule complaints: 102 cases are open, 248 cases have been resolved
12
Onsite HIPAA Security Compliance Reviews
Contracted with Price Waterhouse Coopers (PwC) for 10 reviews in 2008
Reviews place emphasis on remote use and access issues
CMS publishes de-identified post-review information
Initial target: entities against whom a complaint has been filed and reported risk to security of a large volume of records
The compliance reviews will be used as a tool to achieve voluntary compliance
13
Onsite HIPAA Security Compliance Reviews - Continued
Compliance reviews have revealed several key areas of vulnerability, including:
1. Lack of encryption for portable devices and media
2. Lack of verification of role-based access privileges
Reviews have resulted in CAPs that include:
1. Policies and procedures for remote use/access
2. Designation of internal security audit personnel
Compliance review cases are generally closed when CMS verifies completion of the CAP
14
OIG Security Audit Initiative
Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule
The recent OIG review of Piedmont Hospital highlighted issues related to:
Technical safeguard vulnerabilities for wireless communications
Vulnerabilities involving physical access to electronic information systems and the facilities
Administrative safeguard vulnerability related to business associate contracts
15
Providence Resolution Agreement – What Does it Mean?
Background:
Case involved 386,000 unencrypted patient records
$100,000 resolution amount paid to HHS
3-year corrective action monitoring
Significance:
Landmark case – first resulting in a monetary fine
Sets the stage for similar action in similar cases
Represents the evolution of CMS’ enforcement efforts
16
Summary & Conclusion
Security provides opportunity and obligation
CMS’ three-pronged approach:
Outreach and Education
Enforcement
Compliance Review
Consequences of non-compliance:
Loss of resources
Loss of time
Loss of TRUST
17
Discussion and Questions